About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
- powershell_heavy
- missing_linux_example
- windows_tools
- windows_first
Summary:
The documentation demonstrates a strong bias toward Windows and PowerShell environments. All code samples, migration steps, and runbook examples exclusively use PowerShell cmdlets and scripts, with no mention of Linux shell (Bash), Python, or cross-platform automation approaches. The documentation assumes the use of Windows-centric tools and workflows, such as PowerShell modules (Az, AzureRM), and does not provide equivalent guidance or examples for Linux-based Automation accounts or hybrid workers running on Linux. The order and language also assume PowerShell as the default, reinforcing a Windows-first perspective.
Recommendations:
- Add equivalent examples using Azure CLI (az) and/or Python SDK for runbook authentication and resource management, demonstrating how to migrate from Run As accounts to managed identities in Linux-based runbooks.
- Include sample scripts for Bash and Python runbooks, showing how to authenticate with managed identities and perform common automation tasks.
- Explicitly mention support for Linux hybrid runbook workers, and provide migration guidance and troubleshooting steps specific to Linux environments.
- Clarify in prerequisites and migration steps that both Windows and Linux runbook environments are supported, and link to platform-specific documentation where appropriate.
- Balance the order of presentation so that cross-platform or Linux-native tools (e.g., Azure CLI, Python) are mentioned alongside or before PowerShell, to avoid reinforcing a Windows-first mindset.
Flagged Code Snippets
---
### View client ID of user assigned identity
1. In your Automation account, under **Account Settings**, select **Identity**.
1. On the **User assigned** tab, select the user-assigned identity.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/user-assigned-inline.png" alt-text="Screenshot that shows the navigation path to view client ID." lightbox="./media/migrate-run-as-account-managed-identity/user-assigned-expanded.png":::
1. Go to **Overview** > **Essentials** to view the **Client ID**.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/view-client-id-inline.png" alt-text="Screenshot that shows how to view a client ID." lightbox="./media/migrate-run-as-account-managed-identity/view-client-id-expanded.png":::
## Graphical runbooks
### Check if a Run As account is used in graphical runbooks
1. Check each of the activities within the runbook to see if it uses the Run As account when it calls any logon cmdlets or aliases, such as `Add-AzRmAccount`, `Connect-AzRmAccount`, `Add-AzAccount`, or `Connect-AzAccount`.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/check-graphical-runbook-use-run-as-inline.png" alt-text="Screenshot that illustrates checking if a graphical runbook uses a Run As account." lightbox="./media/migrate-run-as-account-managed-identity/check-graphical-runbook-use-run-as-expanded.png":::
1. Examine the parameters that the cmdlet uses.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/activity-parameter-configuration.png" alt-text="Screenshot that shows examining the parameters used by a cmdlet.":::
For use with the Run As account, the cmdlet uses the `ServicePrincipalCertificate` parameter set to `ApplicationId`. `CertificateThumbprint` will be from `RunAsAccountConnection`.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/parameter-sets-inline.png" alt-text="Screenshot that shows parameter sets." lightbox="./media/migrate-run-as-account-managed-identity/parameter-sets-expanded.png":::
### Edit a graphical runbook to use a managed identity
You must test the managed identity to verify that the graphical runbook is working as expected. Create a copy of your production runbook to use the managed identity, and then update your test graphical runbook code to authenticate by using the managed identity. You can add this functionality to a graphical runbook by adding the `Connect-AzAccount` cmdlet.
The following steps include an example to show how a graphical runbook that uses a Run As account can use managed identities:
1. Sign in to the [Azure portal](https://portal.azure.com).
1. Open the Automation account, and then select **Process Automation** > **Runbooks**.
1. Select a runbook. For example, select the **Start Azure V2 VMs** runbook from the list, and then select **Edit** or go to **Browse Gallery** and select **Start Azure V2 VMs**.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/edit-graphical-runbook-inline.png" alt-text="Screenshot of editing a graphical runbook." lightbox="./media/migrate-run-as-account-managed-identity/edit-graphical-runbook-expanded.png":::
1. Replace the Run As connection that uses `AzureRunAsConnection` and the connection asset that internally uses the PowerShell `Get-AutomationConnection` cmdlet with the `Connect-AzAccount` cmdlet.
1. Select **Delete** to delete the `Get Run As Connection` and `Connect to Azure` activities.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/connect-azure-graphical-runbook-inline.png" alt-text="Screenshot to connect to the Azure activities." lightbox="./media/migrate-run-as-account-managed-identity/connect-azure-graphical-runbook-expanded.png":::
1. In the left panel, under **RUNBOOK CONTROL**, select **Code** and then select **Add to canvas**.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/add-canvas-graphical-runbook-inline.png" alt-text="Screenshot to select code and add it to the canvas." lightbox="./media/migrate-run-as-account-managed-identity/add-canvas-graphical-runbook-expanded.png":::
1. Edit the code activity, assign any appropriate label name, and select **Author activity logic**.
:::image type="content" source="./media/migrate-run-as-account-managed-identity/author-activity-log-graphical-runbook-inline.png" alt-text="Screenshot to edit code activity." lightbox="./media/migrate-run-as-account-managed-identity/author-activity-log-graphical-runbook-expanded.png":::
1. In the **Code Editor** page, enter the following PowerShell code and select **OK**.
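
The following is an added example, not the code from the original documentation: one way a code activity can sign in with the Automation account's managed identity instead of `AzureRunAsConnection`. The variable `$UserAssignedClientId` and its placeholder value are assumptions; leave it empty to use the system-assigned identity, or set it to the **Client ID** from the steps in "View client ID of user assigned identity".

```powershell
# Added example: authenticate a runbook code activity with a managed identity.
# $UserAssignedClientId is a hypothetical variable name. Empty means "use the
# system-assigned identity"; otherwise put the user-assigned identity's Client ID here.
$UserAssignedClientId = ''   # placeholder: '<client-id-of-user-assigned-identity>'

# Keep the Az context scoped to this job so credentials from another job
# in the same sandbox are neither inherited nor persisted.
Disable-AzContextAutosave -Scope Process | Out-Null

try {
    Write-Output 'Logging in to Azure with a managed identity...'

    if ([string]::IsNullOrWhiteSpace($UserAssignedClientId)) {
        # System-assigned managed identity of the Automation account.
        $azContext = (Connect-AzAccount -Identity -ErrorAction Stop).Context
    }
    else {
        # User-assigned managed identity, selected by its client ID.
        $azContext = (Connect-AzAccount -Identity -AccountId $UserAssignedClientId -ErrorAction Stop).Context
    }

    # Pin the remaining Az cmdlets in this job to the subscription and
    # credentials that were just obtained.
    Set-AzContext -Subscription $azContext.Subscription.Id -DefaultProfile $azContext | Out-Null

    Write-Output "Signed in as $($azContext.Account.Id) (account type: $($azContext.Account.Type))"
}
catch {
    # Stop the job here rather than letting later activities run unauthenticated.
    Write-Error -Message $_.Exception.Message
    throw
}
```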